Fortinet warned of a now-patched Wireless LAN Manager (FortiWLM) vulnerability, tracked as CVE-2023-34990 (CVSS score of 9.6), that could lead to admin access and sensitive information disclosure.
“A relative path traversal [CWE-23] in FortiWLM may allow a remote, unauthenticated attacker to read sensitive files,” reads the advisory published by the vendor.
Horizon3.ai security researcher Zach Hanley (@hacks_zach) reported this vulnerability to Fortinet.
The vulnerability impacts the following products:
Hanley explained that the vulnerability CVE-2023-34990 enables remote attackers to exploit log-reading functions via crafted requests to a specific endpoint.
“This vulnerability allows remote, unauthenticated attackers to access and abuse built-in functionality meant to read specific log files on the system via a crafted request to the /ems/cgi-bin/ezrf_lighttpd.cgi endpoint. This issue results from the lack of input validation on request parameters, allowing an attacker to traverse directories and read any log file on the system,” reads the report published by Horizon3.ai. “Abusing the lack of input validation, an attacker can construct a request where the imagename parameter contains a path traversal, allowing the attacker to read any log file on the system.”
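The root cause the report describes is a log-file reader that joins a request parameter to a directory without validation. The Python below is an added example, not Fortinet's or Horizon3.ai's code and not FortiWLM's actual implementation: it contrasts that unvalidated join with a contained lookup, and runs a simple detector over constructed access-log lines that flags requests to the endpoint and parameter named in the report whose value contains a `..` path segment. The log directory, the log format and all sample lines are assumptions constructed for the example.

```python
"""Path-traversal hardening and detection example (constructed; not FortiWLM code)."""
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical log directory; FortiWLM's real layout is not known from the advisory.
LOG_DIR = "/var/log/app"

# Endpoint and parameter named in the Horizon3.ai report.
ENDPOINT = "/ems/cgi-bin/ezrf_lighttpd.cgi"
PARAM = "imagename"

# A '..' path segment anywhere in the value (start, middle or end).
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def unsafe_log_path(imagename: str) -> str:
    """The weak pattern the advisory describes: the parameter is joined to the log
    directory and normalised, so '../' segments walk out of LOG_DIR."""
    return posixpath.normpath(posixpath.join(LOG_DIR, imagename))


def safe_log_path(imagename: str) -> Optional[str]:
    """Hardened form: accept only a single plain filename, then confirm the
    resolved path is still inside LOG_DIR. Returns None when the input is rejected."""
    # Allow-list one path component; '.' and '..' pass the character class, so
    # reject them explicitly.
    if not re.fullmatch(r"[A-Za-z0-9._-]+", imagename) or imagename in (".", ".."):
        return None
    candidate = posixpath.normpath(posixpath.join(LOG_DIR, imagename))
    # Containment check as a second line of defence. In production, resolve
    # symlinks with os.path.realpath before this comparison.
    if posixpath.commonpath([LOG_DIR, candidate]) != LOG_DIR:
        return None
    return candidate


# Apache/lighttpd-style common log format: ip ident user [date] "METHOD target PROTO" ...
_LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*"')


def flag_traversal(access_log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded_imagename) for every request to ENDPOINT whose
    imagename value contains a '..' segment after URL-decoding (twice, to catch
    double-encoded values such as %252e%252e)."""
    hits = []
    for line in access_log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target = m.groups()
        parts = urlsplit(target)
        if parts.path != ENDPOINT:
            continue
        # parse_qs performs the first decoding round; unquote handles a second.
        for value in parse_qs(parts.query).get(PARAM, []):
            decoded = unquote(value)
            if TRAVERSAL.search(decoded):
                hits.append((ip, decoded))
    return hits


# Constructed sample access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Dec/2024:10:01:02 +0000] '
    '"GET /ems/cgi-bin/ezrf_lighttpd.cgi?imagename=system.log HTTP/1.1" 200 512',
    '203.0.113.7 - - [19/Dec/2024:10:01:05 +0000] '
    '"GET /ems/cgi-bin/ezrf_lighttpd.cgi?imagename=..%2F..%2F..%2Fother%2Fdir%2Fapp.log HTTP/1.1" 200 1024',
    '198.51.100.4 - - [19/Dec/2024:10:01:09 +0000] '
    '"GET /ems/cgi-bin/ezrf_lighttpd.cgi?imagename=%252e%252e%2Fsecret.log HTTP/1.1" 200 1024',
    '198.51.100.4 - - [19/Dec/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print("unsafe:", unsafe_log_path("../other.log"))   # escapes LOG_DIR
    print("safe:  ", safe_log_path("../other.log"))     # None (rejected)
    for ip, value in flag_traversal(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {value!r}")
```

The allow-list on the filename is the actual fix; the containment check exists so that a later relaxation of the pattern cannot silently reintroduce the flaw. The detector is deliberately narrow (one endpoint, one parameter) so that it can be read as a template for a web-server log rule rather than a general scanner.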
The experts added that FortiWLM’s verbose logs expose session IDs. Because authenticated users’ session ID tokens remain static for the lifetime of a device boot, an attacker who reads those logs through the path traversal flaw can hijack a session, reach authenticated endpoints and gain admin access.
The researcher also noticed that CVE-2023-34990 can be chained with CVE-2023-48782 (CVSS score of 8.8), leading to remote arbitrary code execution as root.
Threat actors frequently target Fortinet devices, making it crucial for customers to update their installations promptly.
“While we found it to be popular with State, Local, and Education (SLED) and healthcare focused customers, luckily the internet exposure is fairly limited to around 15 instances,” concludes the report.
Pierluigi Paganini
(SecurityAffairs – hacking, FortiWLM)